Once upon a time, there was a manager, dedicated to his job, who sometimes took his laptop with him on vacation. Although the laptop held sensitive information, he wasn't about to lug it around with him as he partook of the benefits offered by the local establishments located around his favorite vacation destination. Leaving it in a locked car seemed to be the smart thing to do. After all, who would think of breaking a window to steal a computer?
This manager's employer also lived in a fairy tale world, believing password protection for laptops was sufficient security, even when the laptops contained sensitive information about its customers.
This is a "close enough" description of the world in which an unnamed, fired manager lived and worked in the UK. According to The Register,
"Colchester University Hospital has sacked one of its managers over the theft of his work laptop, which contained unencrypted patient records.
The PC - which was stolen from the manager's care in June - contained copies of the personal details and treatment plans of several thousand patients. Thieves took the machine after breaking into the car, which was parked in Edinburgh at the time, where the unnamed manager was holidaying." Source: Colchester Hospital sacks manager over lost laptop, John Leyden, The Register, 12 August 2008
Of course, the hospital's response prompted an immediate reaction from readers of the article. At the time I read the article, there were a total of 27 opinions on who should really be blamed for the data loss. It's those comments I want to assess in this post. As a disclaimer, I want to note that the article did not go into a lot of detail about the specifics concerning why data was on the laptop, why the laptop was in a manager's care while he was on vacation, or why the data wasn't encrypted. I don't care about these things at the moment. My biggest concern is the inevitable finger-pointing when something like this occurs.
Finger-pointing is a time-wasting blame game that usually accomplishes very little. It has similarities to Nero's fiddling while Rome burned. The kinds of comments made when an unprotected laptop is stolen are reasonably represented in the following table.
This table represents, in general, the opinions of the 27 respondents to the article described above. It's sorted from high to low by the number of comments supporting each of five positions.
The top three are statistically the same, with seven people placing the blame squarely on the employee, six blaming the hospital, and five believing the responsibility should be shared between the manager and the hospital. This is followed by a small number asking a very good question: why was the laptop with the manager while on vacation in the first place? Instead of finger-pointing, I like taking an after action review approach, resolving a vulnerability or two.
An objective look at the situation, given the limited information provided, reveals the following contributors to the stolen patient data.
- The laptop data was not encrypted
- Sensitive data had been copied to the laptop
- The laptop was left locked in a car, accessible to anyone with a hammer or a rock
Encrypting laptop drives where users might store sensitive information is simply the right thing to do. No organization, whether health care or other, should expect laptops to be safe from loss or theft. This is management's responsibility. Expecting users not to store sensitive information on their portable computers is naive, which brings us to the second point.
Some respondents believe sensitive information should be kept off laptops. OK, maybe. Organizations that don't encrypt mobile computing devices should probably prohibit this. But doesn't lack of local information sort of defeat the purpose of mobile computing? Yes, I know. They should just connect via VPN or some other method and access information on centralized storage, but remote connectivity isn't always available. If employees are given mobile computing devices, it's the employer's responsibility to ensure the devices are secure computing environments, regardless of how data is "supposed" to be stored and processed.
The final point is one I ask often, whenever one of our employees calls in to report a laptop stolen from his or her car. Why was it in the car, unattended, accessible with a big rock? The company's responsibility? Policies should exist dictating how mobile users should protect laptops. They should be supported by employee awareness (e.g. having mobile users sign a document stating they understand relevant policies) and sanctions, including dismissal.
Should Colchester Hospital have terminated the manager's employment? I don't know. I don't have enough information. On the surface, however, it appears that two of the three responsibilities I identified rest on the shoulders of the hospital's executive management. Instead of trying to place blame, maybe everyone should sit down and calmly identify what happened, what should have happened, what the gaps are, and how we do better next time. It might make everyone (except the manager) feel better to fire someone, but it doesn't really accomplish anything if done without taking steps to fix the real problems.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.